Page 3 of 29 results (0.007 seconds)

CVSS: 4.3EPSS: 0%CPEs: 9EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in Gallery 3 before 3.0.4 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Múltiples vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en Gallery v3 anterior a v3.0.4 permite a atacantes remotos inyectar código web o HTML arbitrario a través de vectores no especificados. • http://gallery.menalto.com/gallery_3_0_4 http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082954.html http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082995.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.0EPSS: 0%CPEs: 12EXPL: 0

Unrestricted file upload vulnerability in modules/gallery/models/item.php in Menalto Gallery before 3.0 and beta allows remote authenticated users with upload permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory. Vulnerabilidad de subida de archivos sin restricciones en modules/gallery/models/item.php en Menalto Gallery anterior a v3.0 y beta permite a usuarios autenticados de forma remota con permisos de subida ejecutar código de su elección subiendo un archivo con una extensión ejecutable, y después accediendo a él a través de una petición directa al archivo en un directorio no especificado. • http://gallery.menalto.com/gallery_3.0.1_released http://osvdb.org/70628 http://secunia.com/advisories/43028 http://www.securityfocus.com/bid/45964 https://exchange.xforce.ibmcloud.com/vulnerabilities/64870 •

CVSS: 4.0EPSS: 0%CPEs: 7EXPL: 0

Gallery before 1.5.9, and 2.x before 2.2.6, does not properly handle ZIP archives containing symbolic links, which allows remote authenticated users to conduct directory traversal attacks and read arbitrary files via vectors related to the archive upload (aka zip upload) functionality. Gallery, versiones anteriores a 1.5.9, y 2.x y versiones anteriores a 2.2.6, no trata adecuadamente archivos ZIP que contienen enlaces simbólicos, el cual permite a los usuarios remotos autentificados manejar los ataques de salto de directorio y leer archivos arbitrariamente a través de vectores relativos a el fichero cargado funcionalmente (alias zip cargado). • http://gallery.menalto.com/gallery_1.5.9_released http://gallery.menalto.com/gallery_2.2.6_released http://secunia.com/advisories/31912 http://secunia.com/advisories/32662 http://secunia.com/advisories/33144 http://security.gentoo.org/glsa/glsa-200811-02.xml http://www.securityfocus.com/bid/31231 https://exchange.xforce.ibmcloud.com/vulnerabilities/45228 https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00794.html https://www.redhat.com/archives/fedora-package& • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0

Cross-site scripting (XSS) vulnerability in Gallery 2.x before 2.2.6 allows remote attackers to inject arbitrary web script or HTML via a crafted Flash animation, related to the ability of the animation to "interact with the embedding page." Vulnerabilidad de secuencias de comandos en sitios cruzados - XSS en Gallery 2.x y versiones anteriores a 2.2.6 que permite a los atacantes remotos inyectar una secuencia de comandos web o HTML arbitrarios a través de una animación Flash manitulada, en relación a la habilidad de la animación a "interactuar con la página incrustada" • http://gallery.menalto.com/gallery_2.2.6_released http://secunia.com/advisories/31858 http://secunia.com/advisories/32662 http://secunia.com/advisories/33144 http://security.gentoo.org/glsa/glsa-200811-02.xml http://www.securityfocus.com/bid/31231 https://exchange.xforce.ibmcloud.com/vulnerabilities/45227 https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00794.html https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00832.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.0EPSS: 0%CPEs: 7EXPL: 0

Gallery before 1.5.9, and 2.x before 2.2.6, does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. Gallery, versiones anteriores a 1.5.9, 2.x y versiones anteriores a 2.2.6 no asigna el indicador seguro para la cookie de sesión en una sesión https, el cual puede causar que la cookie sea enviada en una petición http y hacer más fácil a los atacantes remotos capturar esta cookie. • http://gallery.menalto.com/gallery_1.5.9_released http://gallery.menalto.com/gallery_2.2.6_released http://int21.de/cve/CVE-2008-3662-gallery.html http://seclists.org/fulldisclosure/2008/Sep/0379.html http://secunia.com/advisories/32662 http://secunia.com/advisories/33144 http://security.gentoo.org/glsa/glsa-200811-02.xml http://www.securityfocus.com/archive/1/496509/100/0/threaded http://www.securityfocus.com/bid/31231 https://www.redhat.com/archives/fedora-package&# • CWE-310: Cryptographic Issues •